3.16.37-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yishai Hadas <yishaih@xxxxxxxxxxxx>
commit 5533c18ab02b17a7f2ac11908e2d97d4b421617d upstream.
In procedure mlx4_ib_create_flow, passing an invalid port number
will cause an out-of-bounds array access. Data passed to this procedure
can come from user-space. Therefore, need to validate port number
before proceeding onwards.
Note that we check against the number of physical ports declared at
the verbs (ib core) level; When bonding is active, the verbs level
sees one physical port, even though the low-level driver sees two ports.
Fixes: f77c0162a339 ("IB/mlx4: Add receive flow steering support")
Signed-off-by: Yishai Hadas <yishaih@xxxxxxxxxxxx>
Reviewed-by: Jack Morgenstein <jackm@xxxxxxxxxxxxxxxxxx>
Reviewed-by: Moni Shoua <monis@xxxxxxxxxxxx>
Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
[bwh: Backported to 3.16:
- Adjust context
- Function returns an integer, not a pointer/error]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
drivers/infiniband/hw/mlx4/main.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -1016,6 +1016,9 @@ static int __mlx4_ib_create_flow(struct
[IB_FLOW_DOMAIN_NIC] = MLX4_DOMAIN_NIC,
};
+ if (flow_attr->port < 1 || flow_attr->port > qp->device->phys_port_cnt)
+ return -EINVAL;
+
if (flow_attr->priority > MLX4_IB_FLOW_MAX_PRIO) {
pr_err("Invalid priority value %d\n", flow_attr->priority);
return -EINVAL;
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html